UDP connection request

I often receive firewall (Outpost on 98SE) alerts that some computer is trying to connect to IE, via UDP on such & such port. I instinctively block such connections, but I'm wondering if there is anything legitimate that would need to connect using this protocol. Would it be appropriate to set a general rule to block all such communication attempts?

Re: UDP connection request

I don't pretend to know anything about the protocol or why it is used, but my Sygate log has many UDP connections daily. A few examples are "polling" from my cable provider, the little utility called About Time that I use to maintain my clock, and so on. However, as I scan the log, they seem to always involve an outgoing AND an incoming record (packets?) so I never question it, since they're all elements that I know about. If yours are incoming only, does it not give an indication of the IP address so you could do a Whois to see what you can learn?

Re: UDP connection request

Hi Al

I should have been more specific - Is there a valid reason why something external would want to communicate on my browser (IE6) port, using UDP? I might ask my ISP if they use UDP in the manner you describe, but (also with little knowledge) I can't see its relevance to the browser. There may be a corresponding outbound communication if I allowed the inbound one, but I've not done this so far, so I can't tell. And unfortunately I haven't retained a log file for the purpose of tracing - maybe I should start.

cheers

Alan

Edited - Looking at the connections for my current session only, there are UDP connections outbound to my cable ISP (I've blocked inbound altogether now). The remote port is reported as "DNS", and one of the reasons for the connection is to allow DNS resolution.

Re: UDP connection request

What do you mean by your browser port? Typically your applications will be assigned a random port number, so anything inbound to that port number has a good chance of knowing something about your communications during the current session.

TCP is used where you want to make sure you got the whole communication. Most applications use TCP; only a few use UDP, which does not check that packets were delivered. DNS uses UDP; I guess it's easier to make the application ask again than to use TCP. Streaming audio and video may use UDP because there's no point in re-sending a lost packet from half a second ago.

Re: UDP connection request

The kind of information I get from the firewall alert is something along the lines of "so and so IP address is trying to connect with iexplore.exe via UDP" or similar. I presumed from this that "it" was trying to use the port usually assigned to HTTP (the browser port?) I'm not that sure of what tree I'm barking up here though.

I'm pretty sure that it wouldn't be streaming AV, since there's nothing related to that on the pages in the browser, but maybe it's something else suited to a datagram, like confirmation of my IP address by my cable ISP?

Re: UDP connection request

I don't think I've ever seen that, but I'm also behind the corporate firewall most of the time, so maybe that's why. Because Internet Explorer uses ephemeral (temporary) ports for normal browsing, I would not expect Outpost to think a particular port is assigned to it. On the other hand, you might have an add-in or something that does have a fixed port number. I guess if you find something not working, you'll know what it was.

Re: UDP connection request

Hi Jefferson (and Bigal re: your lookup suggestion)

I disabled the firewall rule I had in place to block these connections, waited a couple of days, and bingo. A typical alert + trace is attached below. The site is just some ISP/hosting service I have no connection with (pardon pun). Unfortunately my firewall doesn't offer the option to allow/block these requests on an individual basis. It goes into "Learning Mode", which I don't understand yet.

So what I've done is to create a rule that blocks any and all requests to IE that use the UDP protocol. But the question remains - is there a legitimate reason for anything (not just some unknown computer) to try to talk to a browser using UDP?

Alan

Edited - Just got another from the same remote port on 203.192.46.103, which I can't trace, ping or lookup.

Re: UDP connection request

Thanks Dave. I don't believe I have any connection at all with this mob, so I'm quite happy to shut them out. But what service did you use to glean this info, and how did you know what DNS range to search for?

Re: UDP connection request

Do you have the free version? In the Pro $$ version, there is a detailed log of the "allowed" transmissions. If you have such a log, do you see anything that might conceivably have invited these contacts? (I'd go by the timestamps...)
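The timestamp check suggested above, together with the outgoing-and-incoming pairing noted earlier in the thread, sketched as an added example that is not part of any poster's message: it flags inbound UDP records that no recent outbound datagram to the same remote address and port could have invited. The log format, the 30-second window and all addresses are constructed for illustration and are not Outpost's or Sygate's real output.

```python
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real firewall's):
# date time direction protocol local-port remote-ip:port application
SAMPLE_LOG = """\
2004-03-01 10:00:01 OUT UDP 1045 192.0.2.53:53 OUTPOST
2004-03-01 10:00:01 IN UDP 1045 192.0.2.53:53 OUTPOST
2004-03-01 10:05:00 OUT UDP 1050 198.51.100.7:123 ABOUTTIME
2004-03-01 10:05:02 IN UDP 1050 198.51.100.7:123 ABOUTTIME
2004-03-01 10:20:30 IN UDP 1026 203.0.113.9:4000 IEXPLORE
2004-03-01 10:45:00 IN UDP 1045 192.0.2.53:53 OUTPOST
"""

WINDOW = timedelta(seconds=30)  # assumed: how long a reply may lag its request

def parse(line):
    """Split one constructed log line into typed fields."""
    date, time, direction, proto, lport, remote, app = line.split()
    rip, rport = remote.rsplit(":", 1)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, direction, proto, int(lport), rip, int(rport), app

def unsolicited_inbound(log_text, window=WINDOW):
    """Return inbound UDP records with no matching outbound datagram
    (same local port, remote IP and remote port) inside the window."""
    last_out = {}  # (local port, remote ip, remote port) -> last outbound time
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, proto, lport, rip, rport, app = parse(line)
        if proto != "UDP":
            continue
        key = (lport, rip, rport)
        if direction == "OUT":
            last_out[key] = ts
        elif direction == "IN":
            sent = last_out.get(key)
            # Never asked, or asked too long ago: treat as uninvited.
            if sent is None or ts - sent > window:
                flagged.append((ts.isoformat(sep=" "), f"{rip}:{rport}", lport, app))
    return flagged

if __name__ == "__main__":
    for record in unsolicited_inbound(SAMPLE_LOG):
        print(record)
```

The last sample line shows the edge case: a datagram from a known DNS server is still flagged when it arrives long after the query it would have answered.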

Re: UDP connection request

I use the freebie and do have a log file. I can't see anything that would be associated with such unknown connections though. They seem like the same ilk as those random pings one hears of, with computers sweeping DNS ranges to see what's "live". I notice that there is a lot of UDP traffic generally, but these "strange" host computers are always the ones trying to communicate with IE. Comms from my ISP, for instance, are logged as being with OUTPOST, not aimed at the browser. I'm going to run with my IE blocking rule for now, and see what happens I guess.